The United States Computer Emergency Readiness Team (US-CERT) has found a security hole in Safari, with which a hacker could run arbitrary code at the privilege level of the current user account if the victim visits a malicious Web page.
Outlined Monday on the CERT Web site, this problem happens because Safari fails to properly handle references to window objects in the HTML DOM, and allows DOM window references to exist even if the corresponding window object has been deleted. The remaining reference pointer can be used by JavaScript to run code and be used to exploit the user. Apparently there are already public exploits available for this vulnerability.

So far the problem has been confirmed to be on the Windows version of Safari; however, it could also exist on the Mac.

There are no known fixes as yet, and it will be up to Apple to fix the problem fully with a Safari update. In the meantime, there are several things you can do to both reduce the potential harm from exploits of this vulnerability, as well as prevent it from being used.

Use nonadministrative accounts.
This vulnerability is only able to run code with the permissions of the current user on the system. If you are using an administrative account, then there is more potential for harm from an exploit.